Authentication in a wireless telecommunications network

ABSTRACT

To facilitate authentication over a wireless access network, it is proposed to provide a hub device having an authentication storage means (i.e. a (U)SIM) to which one or more machine devices are connected. Each machine device connects to a wireless access network and, in order to authenticate with that network, requests authentication information from the hub device. The core network of the wireless access network authenticates each machine device and provides the machine devices with parallel access to the access network in accordance with authentication information obtained from the hub device. The authentication information is unique to the respective machine device but also associated with information stored on the authentication storage means of the hub device.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a U.S. Nationalization of International Application Number PCT/GB2011/051718, filed on Sep. 14, 2011, which claims priority to United Kingdom Patent Application No. 1015322.9, filed on Sep. 14, 2010, the entireties of which are incorporated herein by reference.

FIELD OF THE INVENTION

The invention relates to a method for authenticating large numbers of devices to a wireless telecommunications network.

BACKGROUND TO THE INVENTION

As a consequence of the decreasing costs of wireless telecommunications apparatus, tighter safety and climate regulation and vigorous market competition, an ever increasing number of devices (“machines”) are being provided with wireless telecommunications apparatus to facilitate additional information services. A particular driving factor in this trend has been the provision of wireless services to so-called machine to machine (M2M) solutions.

The term “M2M” has been used to describe applications in such diverse fields as: tracking and tracing; payment; remote maintenance; automotive and electronic toll; metering; and consumer devices. The augmentation of M2M to allow wireless communications between devices (often referred to as mobile M2M) makes new services possible in some cases (within the automotive industry, for instance) and in others extends existing M2M services (within the field of smart metering).

With mobile M2M, machines numbering in the order of millions and located anywhere within mobile network coverage can be simultaneously monitored to provide real-time information that an individual or enterprise can analyze and act upon.

It is predicted that large numbers of “machines” will require access to wide-area mobile networks (such as the GSM, GPRS and/or 3G cellular networks). Each of these machines may only require authentication very occasionally but may have all the basic equipment to allow connection to at least one access network when that is required. However, just requiring that each device be allowed to authenticate itself to the network from time to time may undermine the benefits of certain mobile M2M services (particularly those services that are predicated on a low cost machine/service).

Consider the implications of providing all such devices with a separate, provisioned SIM card. For each SIM card, the network operator must create a corresponding subscription and “provision” the SIM with a valid MSISDN corresponding to that subscription (i.e. a telephone number), which incurs costs both for the reservation of the MSISDN (regulators such as the ITU assign ranges of MSISDN numbers to operating companies) and for the overheads in registering the selected number for use with a given access network.

Where that SIM appears no longer (or never) to have been used for a predetermined period, the network operators typically note this fact and initiate a “quarantine” process for returning the telephone number to the set of available numbers. Of course, this quarantining process has an associated cost: so too does reassigning that MSISDN number, as ultimately will happen when it is confirmed unused after the quarantine period expires.

As the reader will readily appreciate, the provisioning of SIMs that are infrequently or never used represents a distinct inconvenience to the network operator. While this inconvenience is significant when considering the conventional provision of mobile telephones and data card/modems with SIMs, SIM-enablement of “machines” presents additional problems simply by virtue of the number of these devices and their typical (low and sporadic) frequency of use. M2M applications are expected to increase significantly the number of unused or infrequently used SIMs and to cause a consequently greater level of disruption to the network operator who wishes to enable such devices. All the additional costs in terms of provisioning, quarantining (or keeping minimally active) etc. of such machines can be relatively expensive and, when compared with the potential market for the mobile M2M service, may be found incompatible with low cost services.

Alternatively, devices could have a “soft SIM” (a SIM module in software or firmware) instead, but this has major security issues, and there is still significant cost to the network operator (requiring heavy usage of the core network components, in particular the home location register (HLR) and the authentication centre (AuC)) and in arranging provisioning/creating subscriptions.

In a further alternative, it would be possible for devices to have some other form of authentication technology. However, such a solution would require major network re-design, and could potentially prevent connection onto existing 3G and GSM networks.

It is therefore an object of the invention to obviate or at least mitigate the aforementioned problems.

In accordance with one aspect of the present invention, there is provided a system for facilitating authentication over a wireless access network, the system comprising:

a hub device having an authentication storage means, which is operable to provide authentication information during an authentication process;

at least one machine device being operable to connect to the wireless access network and having a communication interface with the hub device, through which a request for authentication information is made; and

a core network, which is operable to authenticate each machine device and provide said machine devices with parallel access to one or more access networks in accordance with authentication information obtained from the hub device.

It is preferred that a plurality of machine devices are provided with parallel access and the authentication information obtained from the hub device for each machine device includes a corresponding temporary identifier (such as the TMSI for UTRAN or GUTI for LTE) and a distinct key association (e.g. in LTE, K_ASME), each corresponding temporary identifier being related to a permanent identifier (e.g. an IMSI) associated with the hub device.

BRIEF DESCRIPTION OF THE DRAWINGS

For a better understanding of the present invention, reference will now be made, by way of example only, to the accompanying drawings in which:

FIG. 1 illustrates the operation of the present invention.

FIG. 2 illustrates a method of the present invention according to one embodiment.

FIG. 3 illustrates a method of the present invention according to one embodiment.

FIG. 4 illustrates a method of the present invention according to one embodiment.

FIG. 5 illustrates a method of the present invention according to one embodiment.

DETAILED DESCRIPTION

Rather than provide each machine with its own SIM and tolerate the level of signalling that that would entail, the invention facilitates authentication of multiple devices using the same (U)SIM.

Typically, as shown in FIG. 1, the devices 100 are joined to a SIM-containing device 102 (referred to hereafter as the “hub” device) via a variety of short-range connections (USB, WLAN, ZigBee®, NFC etc.) and/or long-range connections and secure channels.

When each device 100 needs to authenticate to a wide-area mobile network (or heterogeneous access network) it forwards a challenge to the (U)SIM 104 and receives back a RES and key material (Kc or CK∥IK).

Multiple devices can thus be connected substantially simultaneously, each with a distinct TMSI (or in LTE, GUTI) and key association (in LTE, K_ASME) but all related to the underlying IMSI, and billed against the same subscription.

To facilitate this behaviour in a cellular telecommunications access network (such as a GSM network, 3G network or LTE network), some changes to the HLR 106 and other parts of the core network 108 are required. In a first instance, the HLR must track multiple devices at once, and single out a “master” device (for example, the hub device) to receive incoming calls, SMS etc. In an alternative, the HLR may only track the “master” device, on the assumption that the other devices never need to be routed to (i.e. they have data-only connections and there is no incoming traffic accepted).

A number of mechanisms are available to indicate to the HLR which device is the “master”; examples include: a special flag in the IMSI (dedicated bit) which indicates when connecting or doing location updates with the master; or use of the IMEI which is presented at connection or location update (with a separate record indicating which device is the master).

Further core network changes are necessitated by the invention:

The visitor location register (VLR) 110, associated with a mobile switching centre (MSC), currently maintains only one record per IMSI, with associated TMSI and Kc (or CK∥IK for UMTS). To support the above, the VLR must maintain multiple records, i.e. the same IMSI may have multiple TMSIs at once, and the VLR must associate each TMSI with the corresponding IMEI.

The HLR may maintain multiple records per IMSI, and associate each record with an IMEI so it can track each device's location. This requires the IMEI to be reported to the HLR along with the IMSI during Location Updates. This can be done using techniques such as the “Automatic Device Detection” facility standardised in 3GPP Release 6.

Alternatively, the HLR only tracks the location of one device (e.g. the “master” device for incoming calls, SMS etc.). Location Updates with the “master” device conveniently report a base IMSI (say IMSI_0) and other devices report an offset IMSI, say IMSI_0+1. The HLR then need only track updates reporting IMSI_0.
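The challenge forwarding described above and the VLR/HLR bookkeeping it requires, as an added Python model that is not code from the patent: the (U)SIM algorithm is stood in for by HMAC-SHA512 (an assumption, not MILENAGE), the network allots the TMSI after verifying RES, the VLR keeps several TMSI records under one IMSI, and the HLR identifies the master as the device reporting the base IMSI_0 while other devices report IMSI_0+n (offsets below an assumed MAX_OFFSET).

```python
import hashlib
import hmac
import secrets

MAX_OFFSET = 100  # assumed: IMSI_0 .. IMSI_0+99 all belong to the same subscription

def usim_f(k: bytes, rand: bytes):
    """Stand-in for the (U)SIM algorithm: returns (RES, CK, IK) from K and RAND.
    Constructed with HMAC-SHA512 for the demo; a real (U)SIM runs MILENAGE or similar."""
    d = hmac.new(k, rand, hashlib.sha512).digest()
    return d[:8], d[8:24], d[24:40]

class HubDevice:
    """Holds the (U)SIM; the subscriber key K never leaves this object."""
    def __init__(self, imsi: int, k: bytes):
        self.imsi, self._k = imsi, k
    def answer_challenge(self, rand: bytes):
        return usim_f(self._k, rand)          # RES plus key material CK||IK

class MachineDevice:
    """A SIM-less sensor/meter that forwards RAND to the hub over its local link."""
    def __init__(self, imei: str, hub: HubDevice, offset: int):
        self.imei, self.hub, self.offset = imei, hub, offset
        self.tmsi = self.ck = self.ik = None
    def reported_imsi(self) -> int:
        return self.hub.imsi + self.offset    # offset 0 marks the master device

class CoreNetwork:
    """AuC, VLR and HLR collapsed into one object for the demo."""
    def __init__(self, subscribers: dict):
        self._auc = dict(subscribers)   # IMSI_0 -> K, shared with the (U)SIM
        self.vlr = {}                   # TMSI -> (IMSI_0, IMEI, CK, IK)
        self.hlr = {}                   # IMSI_0 -> {"master": IMEI, "devices": {IMEI: TMSI}}
    def _base_of(self, reported: int):
        return next((b for b in self._auc if 0 <= reported - b < MAX_OFFSET), None)
    def attach(self, dev: MachineDevice) -> bool:
        """One location update: challenge, verify RES, allot a fresh TMSI, record it."""
        reported = dev.reported_imsi()
        base = self._base_of(reported)
        if base is None:
            return False                                    # unknown subscription
        rand = secrets.token_bytes(16)
        xres, ck, ik = usim_f(self._auc[base], rand)         # AuC side of the challenge
        res, dev_ck, dev_ik = dev.hub.answer_challenge(rand)  # device forwards RAND to hub
        if not hmac.compare_digest(res, xres):
            return False                                    # wrong K: reject
        tmsi = secrets.randbits(32)
        while tmsi in self.vlr:                             # TMSIs must be unique per VLR
            tmsi = secrets.randbits(32)
        dev.tmsi, dev.ck, dev.ik = tmsi, dev_ck, dev_ik
        self.vlr[tmsi] = (base, dev.imei, ck, ik)           # several TMSIs per IMSI
        entry = self.hlr.setdefault(base, {"master": None, "devices": {}})
        entry["devices"][dev.imei] = tmsi
        if reported == base:                                # IMSI_0 marks the master
            entry["master"] = dev.imei
        return True
    def tmsis_for(self, base: int):
        return [t for t, (b, *_) in self.vlr.items() if b == base]
```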

FIG. 2 illustrates one embodiment 120 of a method for facilitating authentication of machine devices over one or more wireless access networks via a hub device having an authentication storage means. At step 122, the hub device receives requests for authentication information from a plurality of machine devices. At step 124, the hub device responds to each request with authentication information that includes a corresponding temporary identifier and a distinct key association, each corresponding temporary identifier being related to a permanent identifier associated with the hub device. At step 126, the core network associated with the one or more wireless access networks receives the corresponding temporary identifier and distinct key association from each machine device. At step 128, the core network authenticates each machine device to provide each machine device, in parallel with the other machine devices, access to the one or more access networks.

FIG. 3 illustrates another embodiment 140 of a method for facilitating authentication of machine devices over one or more wireless access networks via a hub device having an authentication storage means. Steps 142-148 are identical to steps 122-128 of method 120. However, method 140 includes an additional step 150. At step 150, the core network stores in the VLR a temporary record for each active machine device such that each record is associated with the permanent identifier of the hub device.

FIG. 4 illustrates another embodiment 160 of a method for facilitating authentication of machine devices over one or more wireless access networks via a hub device having an authentication storage means. Steps 162-168 are identical to steps 122-128 of method 120. However, method 160 includes an additional step 170. At step 170, the core network associates each record of an HLR database of records of a plurality of temporary identifiers related to the shared permanent identifier with a corresponding machine device identifier to enable tracking of each machine device.

FIG. 5 illustrates another embodiment 180 of a method for facilitating authentication of machine devices over one or more wireless access networks via a hub device having an authentication storage means. Steps 182-188 are identical to steps 122-128 of method 120. However, method 180 includes an additional step 190. At step 190, the core network determines, by the HLR, a master device to which incoming communications for the machine devices are to be directed.

A number of implementations may be considered:

In a first embodiment, consider a vast array of sensors in a building or on a campus. With the present invention, a single SIM-holding device, to which sensors are locally connected, may be used to perform authentication on behalf of each sensor. Sensors have a low bandwidth radio (just to confirm that they are “OK” or “alert” every so often). The SIM-holding device is preferably portable (e.g. a security guard carrying a mobile phone), with devices only temporarily in range.

In another embodiment, sensors are installed on parcels, delivery crates etc. travelling away from a depot, then back again, or between depots. They connect to the SIM-holding device when in the depot.

In a third embodiment, consider a home energy system with multiple devices reporting usage, adapting usage, sending alarms etc. In this case the SIM-holding device is the home owner's mobile phone, and the owner is only around in the evening.

The invention claimed is:
1. A system for facilitating authentication of machine devices over a wireless access network, the system comprising: a hub device having an authentication storage means operable to provide authentication information during an authentication process; a plurality of machine devices each operable to connect to a wireless access network and each having a communication interface with the hub device, through which requests for authentication information are made to the hub device; and a core network operable to authenticate each machine device; wherein, during the authentication process, the hub device is operable to respond to each request with authentication information that includes a corresponding temporary identifier and a distinct key association, each corresponding temporary identifier being related to a permanent identifier associated with the hub device, wherein the authentication information provided to the machine devices enables said machine devices to be concurrently authenticated with the core network so as to allow the machine devices to concurrently access the wireless access network, wherein the core network includes a home location register operable to maintain a database of records of the temporary identifiers corresponding to the authenticated machine devices so as to associate each temporary identifier with the permanent identifier of the hub device and to associate each record with the corresponding machine device identifier to enable tracking of the location of each machine device, the home location register also being operable to identify a master device as representative of the plurality of machine devices associated with the hub device by incorporating a flag in the permanent identifier or the temporary identifiers, or by using a base as the permanent identifier and offsets from the base as the temporary identifiers, and wherein the core network includes a visitor location register for storing temporary records corresponding to the machine devices that are authenticated with the core network, wherein the visitor location register is configured to store a record for each authenticated machine device, such that each temporary record is related to the permanent identifier of the hub device.

2. The system as claimed in claim 1, wherein the requests for authentication information are challenges to the authentication storage means and wherein the authentication information obtained from the hub device includes key material.

3. The system as claimed in claim 1, wherein the home location register is operable to redirect to the master device all incoming communications directed to any of the machine devices, the master device being the hub or one of the machine devices.

4. The system as recited in claim 1, wherein the permanent identifier associated with the hub device is an International Mobile Subscriber Identity (IMSI).

5. The system as recited in claim 1, wherein the authentication storage means comprises a Subscriber Identity Module (SIM).

6. The system as recited in claim 1, wherein the base is an International Mobile Subscriber Identity (IMSI) and the temporary identifiers are offset from the IMSI.

7. A method for facilitating concurrent authentication of machine devices via a hub device having an authentication storage means, the method comprising: at the hub device, receiving requests for authentication information from each of a plurality of machine devices; and responding to each request with authentication information that includes a corresponding temporary identifier and a distinct key association, each corresponding temporary identifier being related to a permanent identifier associated with the hub device; in each of the machine devices, receiving the corresponding temporary identifier and distinct key association from the hub device; and sending the corresponding temporary identifier and distinct key association to a core network associated with a wireless access network; and in the core network, receiving the corresponding temporary identifier and distinct key association from each machine device, authenticating each machine device to provide said machine devices with concurrent access to the wireless access network; maintaining a home location register that includes records of the temporary identifiers corresponding to the authenticated machine devices so as to associate each temporary identifier with the permanent identifier of the hub device and to associate each record with the corresponding machine device identifier to enable tracking of the location of each machine device, the home location register being operable to identify a master device as representative of the plurality of machine devices associated with the hub device by incorporating a flag in the permanent identifier or the temporary identifiers, or by using a base as the permanent identifier and offsets from the base as the temporary identifiers; and storing a temporary record for each authenticated machine device in a visitor location register, such that each temporary record is related to the permanent identifier of the hub device.

8. The method as recited in claim 7, further comprising redirecting to the master device all incoming communications directed to any of the machine devices, the master device being the hub or one of the machine devices.

9. The method as recited in claim 7, wherein the permanent identifier associated with the hub device is an International Mobile Subscriber Identity (IMSI).

10. The method as recited in claim 7, wherein the base is an International Mobile Subscriber Identity (IMSI) and the temporary identifiers are offset from the IMSI.